# Security Headers Skill

## Overview

Audit and configure HTTP security headers for web applications.
## Required Headers

| Header | Purpose | Severity if Missing |
|---|---|---|
| Content-Security-Policy | Prevent XSS/injection | HIGH |
| Strict-Transport-Security | Force HTTPS | HIGH |
| X-Content-Type-Options | Prevent MIME sniffing | MEDIUM |
| X-Frame-Options | Prevent clickjacking | MEDIUM |
| Referrer-Policy | Control referrer info | LOW |
| Permissions-Policy | Control browser features | LOW |
| X-XSS-Protection | Legacy XSS filter | LOW |
## Workflow

- Detect framework (Next.js, Laravel, Express, etc.)
- Check current header configuration
- Compare against security best practices
- Generate framework-specific configuration
- Validate headers are properly set
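The "check current header configuration" and "validate headers are properly set" steps, as an added example that is not part of this skill's own code: it parses a raw response head, reports each header from the table above that is missing with the table's severity, and additionally flags a few weak values (HSTS `max-age` under one year, `'unsafe-inline'` in the CSP, a non-standard `X-Frame-Options` value); those value checks and their severities are this example's own assumptions, and the sample response is constructed.

```python
import re
from typing import Dict, List, Tuple

# Required headers and the severity if missing, from the table above.
REQUIRED: Dict[str, str] = {
    "content-security-policy": "HIGH",
    "strict-transport-security": "HIGH",
    "x-content-type-options": "MEDIUM",
    "x-frame-options": "MEDIUM",
    "referrer-policy": "LOW",
    "permissions-policy": "LOW",
    "x-xss-protection": "LOW",
}

# Constructed sample response head, as a scanner would capture it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "\r\n<html>...</html>"
)

def parse_headers(raw: str) -> Dict[str, str]:
    """Map lowercased header names to values from the block before the blank line."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (severity, header, finding) tuples, highest severity first."""
    findings = [(sev, name, "missing") for name, sev in REQUIRED.items() if name not in headers]
    hsts = headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (m is None or int(m.group(1)) < 31536000):  # one-year floor is assumed
        findings.append(("MEDIUM", "strict-transport-security", "max-age below one year"))
    if "'unsafe-inline'" in headers.get("content-security-policy", ""):
        findings.append(("HIGH", "content-security-policy", "'unsafe-inline' present"))
    xfo = headers.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("MEDIUM", "x-frame-options", "value is not DENY or SAMEORIGIN"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: order[f[0]])
```

Running `audit(parse_headers(SAMPLE_RESPONSE))` on the constructed sample yields one HIGH (CSP), one MEDIUM (short HSTS max-age) and three LOW "missing" findings.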
## Detection Points

| Framework | Config Location |
|---|---|
| Next.js | `next.config.js` headers, `middleware.ts` |
| Laravel | SecurityHeaders middleware |
| Express | helmet middleware |
| Django | `SECURE_*` settings |
## References

- Headers Reference
- Config Templates